Skills
skills/notque/claude-code-toolkit/codex-code-review/Gen Agent Trust Hub

codex-code-review

Fail

Audited by Gen Agent Trust Hub on Apr 1, 2026

Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill directs the agent to execute the codex command with the --dangerously-bypass-approvals-and-sandbox flag. This flag is explicitly intended to disable security isolation mechanisms (like the bwrap sandbox), which increases the risk of unauthorized system access.
  • [EXTERNAL_DOWNLOADS]: The skill requires the installation of a Node.js package @openai/codex. This package name does not correspond to an official OpenAI utility and represents a supply chain risk, especially given the deceptive claim of supporting a 'GPT-5.4' model.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through its processing of untrusted data:
  • Ingestion points: User-supplied input for 'scope', 'focus areas', and 'context summary' in Phase 1 and 2.
  • Boundary markers: None; the user input is directly interpolated into the Codex prompt.
  • Capability inventory: The agent uses Bash to execute codex exec and has Read access to the filesystem.
  • Sanitization: None; user input is not escaped or validated before being passed to the shell or the secondary model.
  • [COMMAND_EXECUTION]: The skill passes a dynamically constructed prompt string as a shell argument. If the agent fails to properly escape shell metacharacters in the user-provided focus areas, it could lead to command injection on the host system.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Apr 1, 2026, 05:55 AM